FBI frets about dumb security in smart meters

The FBI is seeing increasing hacks on electricity smart meters, with most attacks designed to let consumers get power without paying for it.

Krebs on Security claims to have an FBI intelligence bulletin that outlines the agency’s growing concern at smart meter hacks – and which along the way highlights the cavalier attitude smart meter designers have to security.

The FBI bulletin, Brian Krebs says, enumerates a variety of approaches to getting free power out of smart meters: at the sophisticated end, the attacker has build a DIY optical interface to connect to the device and modify its software. At the “who could be so stupid” end of the hacks, the Feds say some smart meters can be fooled into recording the wrong power usage by placing a magnet on top.

“This method is being used by some customers to disable the meter at night when air-conditioning units are operational. The magnets are removed during working hours when the customer is not home, and the meter might be inspected by a technician from the power company,” the bulletin states.

Krebs says the alert he has obtained was issued by the FBI after it investigated incidents of power theft in Puerto Rico assessed as worth as much as $US400 million annually. While it was the first time the Feds got involved in the issue, the bulletin notes that “The FBI assesses with medium confidence that as Smart Grid use continues to spread … this type of fraud will also spread because of the ease of intrusion and the economic benefit to both the hacker and the electric customer”.

Smart meter security has been the topic both of legitimate concerns, at the same time feeding into a growing anti-smart-meter movement in many countries. Earlier this year, German researchers demonstrated serious privacy flaws in a smart meter scheme that allowed attackers to intercept meter data and determine householders’ TV viewing habits and whether or not they were home.

As far back as 2010, researchers in the UK were warning that smart meter security was so poor it offered attackers a remote “kill switch” they could use against electricity consumers. ®